[RFE] Config Explorer doesn't include cipher groups with the applications #213

Open
f5-rahm opened this issue May 25, 2023 · 1 comment
f5-rahm commented May 25, 2023

I was working with existing legacy config to create an AS3 version of it for some tmsh scripting work. I thought ACC was missing it, but in config explorer, the client-ssl profile reference to a cipher-group doesn't result in the cipher group and associated cipher rules appearing in the explorer view, so ACC doesn't have those objects to convert.

Source config:

ltm profile client-ssl /Common/cssl.TestSuite {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/cg_TLSv1.3
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}

Resulting ACC generated AS3 declaration:

                "cssl.TestSuite": {
                    "certificates": [
                        {
                            "certificate": "certificate_default"
                        }
                    ],
                    "class": "TLS_Server",
                    "tls1_0Enabled": true,
                    "tls1_1Enabled": true,
                    "tls1_2Enabled": true,
                    "tls1_3Enabled": true,
                    "singleUseDhEnabled": false,
                    "insertEmptyFragmentsEnabled": false
                },

If I add the cipher group and cipher rule to that source config:

ltm profile client-ssl /Common/cssl.TestSuite {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    cipher-group /Common/cg_TLSv1.3
    ciphers none
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain true
    options { dont-insert-empty-fragments }
}
ltm cipher group /Common/cg_TLSv1.3 {
    allow {
        /Common/cr_TLSv1.3 { }
    }
}
ltm cipher rule /Common/cr_TLSv1.3 {
    cipher TLSv1_3
    dh-groups DEFAULT
    signature-algorithms DEFAULT
}

Then ACC converts it as expected:

                "cssl.TestSuite": {
                    "certificates": [
                        {
                            "certificate": "certificate_default"
                        }
                    ],
                    "cipherGroup": {
                        "use": "/Common/Shared/cg_TLSv1.3"
                    },
                    "class": "TLS_Server",
                    "tls1_0Enabled": true,
                    "tls1_1Enabled": true,
                    "tls1_2Enabled": true,
                    "tls1_3Enabled": true,
                    "singleUseDhEnabled": false,
                    "insertEmptyFragmentsEnabled": false
                },
                "cg_TLSv1.3": {
                    "allowCipherRules": [
                        {
                            "use": "/Common/Shared/cr_TLSv1.3"
                        }
                    ],
                    "class": "Cipher_Group"
                },
                "cr_TLSv1.3": {
                    "cipherSuites": [
                        "TLSv1_3"
                    ],
                    "namedGroups": [
                        "DEFAULT"
                    ],
                    "signatureAlgorithms": [
                        "DEFAULT"
                    ],
                    "class": "Cipher_Rule"
                }

DumpySquare changed the title from "Config Explorer doesn't include cipher groups with the applications" to "[RFE] Config Explorer doesn't include cipher groups with the applications" on Jun 19, 2023
DumpySquare self-assigned this on Jun 19, 2023
DumpySquare added the enhancement (New feature or request) label on Jun 19, 2023
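
A pre-conversion check for the gap described in this issue, as an added example (not code from ACC, Config Explorer or either commenter): it walks a tmsh extract and reports every client-ssl `cipher-group` reference, and every cipher group rule reference, whose target object is absent, which is the condition under which the converted `TLS_Server` comes out without `cipherGroup`. The function names and the brace-counting parser are assumptions; quoted object names and braces inside strings are not handled.

```python
import re

# Constructed sample: the profile from the issue, with the cipher group present
# but its cipher rule deliberately left out of the extract.
SAMPLE = """\
ltm profile client-ssl /Common/cssl.TestSuite {
    cipher-group /Common/cg_TLSv1.3
    ciphers none
    defaults-from /Common/clientssl
    options { dont-insert-empty-fragments }
}
ltm cipher group /Common/cg_TLSv1.3 {
    allow {
        /Common/cr_TLSv1.3 { }
    }
}
"""

# Hypothetical helpers: a simplified parser that tracks nesting by counting braces.
HEADER = re.compile(r"^(ltm [^{]*?)\s+(/\S+)\s*\{\s*$")

def split_objects(text):
    """Map (type, name) -> stripped body lines for each top-level tmsh object."""
    objects, current, depth = {}, None, 0
    for line in text.splitlines():
        m = HEADER.match(line) if depth == 0 else None
        if m:
            current = (m.group(1), m.group(2))
            objects[current] = []
        elif current and depth > 0:
            objects[current].append(line.strip())
        depth += line.count("{") - line.count("}")
    return objects

def missing_cipher_refs(text):
    """Return (referrer, missing object) pairs for unresolved cipher references."""
    objs = split_objects(text)
    missing = []
    for (kind, name), body in objs.items():
        if kind == "ltm profile client-ssl":
            refs = [("ltm cipher group", l.split()[1]) for l in body
                    if l.startswith("cipher-group ") and l.split()[1] != "none"]
        elif kind == "ltm cipher group":
            refs = [("ltm cipher rule", l.split()[0]) for l in body
                    if l.startswith("/")]
        else:
            continue
        missing += [(name, f"{k} {n}") for k, n in refs if (k, n) not in objs]
    return missing
```

An empty result means every cipher group and cipher rule the profiles depend on is in the extract being converted.
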
@DumpySquare

@f5-rahm, can you provide a more complicated cipher group example or a couple of them? This is going to get a couple layers deep, so I figure I will just work through all the cases while we are at it.
